Date: Mon, 27 Apr 2015 16:31:55 -0700
From: Alan Coopersmith <>
CC: Marcus Meissner <>, xorg_security@...rg,
Subject: Re: CVE request: X server crash by client

On 04/24/15 08:00 AM, Marcus Meissner wrote:
> Hi,
> We got notified that the fix for CVE-2014-8092 introduced the possibility
> of a division by 0 when the "height" for the PutImage call is 0, leading
> to X server abort.
> This was already fixed in January in X git.
> As this is a local denial of service, but might be triggerable by images with 0 height
> supplied externally, it might need a CVE.

Right - the ability of an already authenticated client to end the X session is
generally not considered a vulnerability in Xorg, since we provide an intentional
mechanism to do so already, but doing so because an external data source (web
site, document file, etc.) provided a bad image could be.

	-Alan Coopersmith-    
	  X.Org Security Response Team -
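
The failure mode reported in the quoted message, as an added example that is not part of the original thread and is not X server source: a size check that divides a limit by a client-supplied height, next to a form that handles a height of 0 first. The function names, the parameters and the assumption that the division sits in an overflow check of this shape are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* "Before" (hypothetical): overflow check that divides by a client-supplied
 * height. With height == 0 the integer division traps and the process
 * aborts, so this function is only ever called with a non-zero height here. */
bool rows_fit_unguarded(uint32_t bytes_per_row, uint16_t height)
{
    return bytes_per_row < (uint32_t)(INT32_MAX / height);
}

/* "After" (hypothetical): zero rows means zero bytes, which cannot overflow,
 * so the zero case is answered before any division happens. */
bool rows_fit_guarded(uint32_t bytes_per_row, uint16_t height)
{
    if (height == 0)
        return true;
    return bytes_per_row < (uint32_t)(INT32_MAX / height);
}

/* Total image size in bytes, or -1 when the request must be rejected. */
int64_t put_image_bytes(uint32_t bytes_per_row, uint16_t height)
{
    if (!rows_fit_guarded(bytes_per_row, height))
        return -1;
    return (int64_t)bytes_per_row * height;
}

int main(void)
{
    /* Constructed sample requests: {bytes_per_row, height}. */
    const uint32_t samples[][2] = {
        {1024, 768}, {4, 0}, {65536, 65535},
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t row = samples[i][0];
        uint16_t h = (uint16_t)samples[i][1];
        /* The unguarded check is evaluated only where it cannot trap. */
        if (h != 0 && rows_fit_unguarded(row, h) != rows_fit_guarded(row, h))
            return 1;
        printf("row=%u height=%u -> %lld\n", (unsigned)row, (unsigned)h,
               (long long)put_image_bytes(row, h));
    }
    return 0;
}
```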
